Monday, 25 November 2013

Password Hints

OK let me preface this by saying this: I absolutely hate password
hints and secret questions. Generally speaking anything you put in there
can be found by friending someone on facebook, a quick google or simply
guessing. They are the epitome of a bad idea, sure they have some use.
If you forget your password the hint if constructed correctly could
remind you and only you, however most people don't understand this.
If
it is a secret question an answer, where the question is predefined
such as mothers maiden name, it can take a few guesses (smith anyone),
or a quick google.com search and you will have it. Everything else is
trivial, and this was how Sarah Palin's yahoo email account was
humorously compromised back in 2008.

Forgetting all that, adobe gave us another insight as to why it is bad.

I
know a lot has been said about adobe, including the excellent (although
conservative number of users impacted) article by Brian Krebs here.

But there is something else that needs to be learnt from this breach.
Sure
your password hint could be terrible but maybe the web application logs
someones IP when they go to that for later alerting etc if a bad guy
does compromise the account. But what if the DB gets walked, and all
those juicy password hints or secret questions and answers are stored in
plain text... then you have a problem even if you correctly store you
passwords (which adobe didn't).

So lets say you do
correctly store your password as a per-user salted sha1+ hash, good, but
now you allow users to have a password hint like adobe. When someone
has their password hint as their password in another language then they
fail very quickly. For example (this is not a real entry, but made to
look like one from the adobe breach);

If we forgive the obviously non-hashed password in the 4th column, we see
in the last column the password hint is simply Gato x3, or you know
maybe Cat typed out three times. So even if this entry had an
irreversible hashed password, the hint would give it all away if the DB
where accessed.
Maybe they should instead store their hint as a reversible encrypted string
with an individual key for each user. This would mean the server when
the user wants to use their password hint would look up the key from the
internally accessible internal key server for the username and decrypt
the hint. It would mean if the db is walked via an SQL injection or
direct attack they aren't necessarily going to get the keys to decrypt
the password hint. For a secret question and answer, you should salt and
hash the answer and if you are using user defined questions you should
encrypt those too just to reduce what is leaked...

Using an encrypted password with the same decryption key for all users or using an unsalted hash means that the resulting password string whether it is BsscHGd8aIjiwxG2CaWrHSw== or 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 will be the same across all users meaning if you break one you break them all. The same goes for your "password hint" or "secret question and answer", should people take my advice and start encrypting them.

Of course all of this only works if you care about security. If you aren't
going to hash your passwords. Or worse store them in plain text as Cupid Media did, then you probably don't care about users password hints, and will probably store them in plain text.
Realistically no-one has any excuse now, google authenticator for two factor has been
open sourced, OpenID, SAML can be used to authenticate you to a central
store and then you are done, like UbuntuForums did, post their breach, move to UbuntuOne the openID provider. People like adobe should really switch to
one of these, to reduce their authentication load. The users should be forced at these central providers to
2-factor auth. If you forget your password at one of these central
providers then you have a convoluted way to retrieve it via out of band
identification, via either partnership with a bank or other multi-vendor approach, eg go into these news agencies and show 100 points of ID to get your password reset.

My point I am trying to make
is this, if it is used for authentication it should be encrypted,
preferably and sufficiently strong hash (SHA1 or greater) that is salted. Nothing but the username and row ID of
your authentication table should be plain text. It is only a matter of
time before these passwords in the 10gb adobe database are broken and
the key used to decrypt them is found, if it hasn't happened already.

Add these ~130million adobe accounts with the 42million from the Cupid Media and I think we should
declare this month, change password November, I know the few sites that used the same password as my account on adobe have now all been changed, have yours? If you use the same password everywhere, then now is the time to look at keepass or lastpass to store your single use passwords in a manner that allows for your protection. Heck even Google's Chrome and Firefox have built in password managers with cloud sync and encryption, so there really is no excuse.

I am doing a CTF for some peeps, thought I'd put this here to be searchable.. these are the real sums of these phrases;
2D579CD75056723657B8FA68FA6626C245CD362030159965EFBDF41DA2D67ADF:redherring
86DB5B1C2D9C1854FE5B80318FBC806C53EDD2C5DBABAFA42CC909A867AE3E21:RedHerring
BC1A7086C334A3C3E2AC638DF4C82A58DEBC6CF2DAF05C4B1D17E9896BC69908:red herring Or check it here; https://passwordsgenerator.net/sha256-hash-generator/ or on your bash shell with echo -n redherring | sha256sum